Hi, I was recently setting up my new firewall using OpenWrt on a Linksys. I got around to setting up my ADSL connection and added these commands into my iptables:

    $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    $IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE

which is what I have normally done. HTTP traffic worked well, but FTP of large files timed out, a sign of an MTU problem. It worked when I FTP'ed from the firewall, but not when I did it from behind the firewall.

When I did some tcpdumps, I noticed that the second connection created by the client wasn't being clamped. The way I figure it, the second connection was RELATED to the first one, and thus being consumed by the first line in iptables (above). Once I changed the order of lines 1 and 2, everything worked fine.

Now OpenWrt uses 2.4.30, and my previous firewall used 2.6, and I believe it was set up as shown above and it worked fine. The other difference is that conntrack_ftp is compiled into the kernel.

Is this a known feature/bug? Why has it worked in 2.6 and not in 2.4, or is the problem compiled in vs. as a module?

Alex
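The ordering problem Alex describes is easy to reintroduce when rules are edited later, so here is an added audit script (not from the original post) that reads `iptables-save` output and reports whether a TCPMSS clamp rule in FORWARD is shadowed by an earlier RELATED accept. The two rule sets are constructed samples reproducing the original and swapped orderings; the interface name ppp0 is assumed in place of $WANADSL.

```shell
#!/bin/sh
# Constructed iptables-save excerpt with the ordering from the post: the
# RELATED,ESTABLISHED accept comes first, so the SYN of an FTP data
# connection (RELATED via ip_conntrack_ftp) is accepted before it ever
# reaches the TCPMSS clamp rule.
BAD_RULES='*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# Same rules with lines 1 and 2 swapped, the order that fixed the problem.
GOOD_RULES='*filter
-A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# mss_clamp_verdict: reads iptables-save text on stdin and prints one word:
#   ok        every FORWARD clamp rule precedes any RELATED accept in FORWARD
#   shadowed  a clamp rule sits after a RELATED accept, so RELATED SYNs skip it
#   no-clamp  FORWARD has no --clamp-mss-to-pmtu rule at all
# Both the old "-m state --state" and the newer "-m conntrack --ctstate"
# spellings are recognised.
mss_clamp_verdict() {
  awk '
    /^-A FORWARD / && /-j TCPMSS/ && /--clamp-mss-to-pmtu/ {
      clamp++
      if (accept_seen) shadowed++
    }
    /^-A FORWARD / && /--(state|ctstate) [A-Z,]*RELATED/ && /-j ACCEPT/ {
      accept_seen = 1
    }
    END {
      if (clamp == 0)    print "no-clamp"
      else if (shadowed) print "shadowed"
      else               print "ok"
    }
  '
}

# Demonstrate on the two constructed rule sets.
printf 'original order: %s\n' "$(printf '%s\n' "$BAD_RULES" | mss_clamp_verdict)"
printf 'swapped order:  %s\n' "$(printf '%s\n' "$GOOD_RULES" | mss_clamp_verdict)"
```

On a live box the same check is `iptables-save | mss_clamp_verdict`, which is worth running after any rule change since iptables matches top-down and a RELATED accept placed too early silently bypasses the clamp for exactly the secondary connections that need it.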